Closed dougburks closed 4 years ago
I've packaged Suricata 4.1.6 and the following package is now available at ppa:securityonion/test
:
securityonion-suricata - 4.1.6-1ubuntu1securityonion2
Please test/verify as follows:
start with a 16.04 box with all stable updates applied
run through Setup, choosing Production Mode, Standalone, Best Practices, and Suricata
snapshot the VM if possible
add the test PPA:
sudo add-apt-repository -y ppa:securityonion/test
install all updates:
sudo soup -y
the Suricata package should back up your existing suricata.yaml,
migrate your HOME_NET and EXTERNAL_NET variables, and tell you that
you need to run sudo rule-update
PLEASE NOTE! suricata.yaml
has recently changed SIGNIFICANTLY. Please sanity-check all options in suricata.yaml
.
if necessary, manually update the new suricata.yaml
for your environment
update rules:
sudo rule-update
verify the new version number:
suricata -V
run through your normal testing in as many different combinations as possible: PF_RING vs AF_PACKET single worker vs multiple workers Please note that AF_PACKET load balancing doesn't appear to work properly when tcpreplay is run on the same box as Suricata. AF_PACKET load balancing should work correctly when connected to a live tap or span port. Alternatively, if you're testing in a VM, you can run tcpreplay on another VM connected to the same virtual network as your Suricata VM.
check sostat
output for anything out of the ordinary (specifically, check the pf_ring and Suricata sections for packet loss)
check log files for any warnings/errors out of the ordinary
reboot and make sure everything still works properly
re-run Setup and make sure everything still works properly
anything else I missed?
Thanks in advance for your time and effort!
tl;dr upgrade was successful.
Still need to do additional testing and let it bake in but so far so good!
No issues during my testing. @Ucnt we don't currently migrate settings for cpu affinity or eve.json
(etc.), however, we may consider doing so in the future.
Thanks, Wes
Thanks @Ucnt and @weslambert !
Published: https://blog.securityonion.net/2019/12/suricata-416-now-available-for-security.html
https://suricata-ids.org/2019/12/13/suricata-4-1-6-released/